Malicious PDF — malware analysis report

Static analysis result for SHA-256 94a1a433c5065189…

Verdict: MALICIOUS
File type: PDF
Size: 41.2 KB
Authoring application: Mobipocket Creator
MD5: 07804c8f50ad21e42b2152cd83765f46
SHA-1: cb3d1cf9071459331c39c401adb2712cffa5bcc9
SHA-256: 94a1a433c5065189ef1a9f098c9ec219a57310798c95be9915ff491650ee2d27
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded URLs, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or redirection scheme. ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a phishing or malicious redirection intent. The ML classifier also strongly indicated maliciousness. No scripts were extracted, but the primary attack pattern involves leveraging the PDF structure to host numerous external links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000017dd.bin
SHA-256: 294ca3200fa97001b82a2a100a3b9f3c0e89d73170369b22a7e44a3d384a4c6d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x17DD
Size: 9164 bytes